PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal”

A few days ago, I wrote in some detail about the National Security Agency’s data-mining program in hopes of calming the hysteria that has been whipped up in the last number of days by incorrect and misleading reports, as well as by plenty of ill-informed commentary based on those errors. At this point, I’ve decided that I need to tell a little bit more.

Some explanation up front: I spent seven years investigating the national-security systems and policies established in the aftermath of the 9/11 attacks for my book 500 Days.I learned a fair amount about the data-mining programs of the N.S.A. and wrote about it. I summarized those findings in my last post. However, now it has become obvious to me that I need to go further than I did in my book, at least in hopes of calming things down. When discussing errors, I’m going to mention “reports” regarding news articles, but I’m not going to identify them—the last thing I want is for this to become a back-and-forth between reporters.

First, the much-ballyhooed PRISM program is not a program and not a secret, and anyone who says it is should not be trusted because they don’t know what they’re talking about. PRISM is the name for the government computer system that is used to handle the foreign-intelligence data collected under Section 702 of the Foreign Intelligence Surveillance Act.

Those rules are very specific. The targeting can only be of foreign nationals outside the United States. These are the restrictions:

The N.S.A. may not intentionally target any person known at the time of acquisition to be located in the United States; (2) may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States; (3) may not intentionally target a United States person reasonably believed to be located outside the United States; (4) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and (5) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.

There are many other restrictions and requirements on how data can be properly obtained and used in the PRISM system. But since this doesn’t require some secret, confidential source to understand, I invite you to click on the link I provided above and read through the law.

However, targeting is not done willy-nilly. The system is subject to review by the judiciary, the Congress, and the executive branch. Both the attorney general and the director of the N.S.A. must make a determination that they “reasonably believe” a person they wish to target is, in fact, a foreign national outside the country whose activities raise national-security concerns for the United States. That standard, of course, is lower than probable cause, which is a small part of why any information obtained can’t be used in a criminal case.

Courts established under the Foreign Intelligence Surveillance Act review these determinations and must approve the targeting. (Much has been made of the fact that these approvals appear to be given frequently, with some saying the F.I.S.A. courts are just rubber stamps. I disagree; given the requirements for prior review and assessment at the top of the executive branch, a high approval rate for subpoenas would be expected. I’d be more concerned if they were frequently rejected, because that would signal the executive branch was probably attempting to abuse the system.)

Now, anyone who discusses this process without also mentioning minimization procedures is also either very uninformed or intentionally hyping the story. Minimization is a term of art in the world of NSA intercepts which essentially means “stay out of American citizen’s business.” If information about specific Americans (or even foreigners inside the United States) is captured, those details must be removed from all records and cannot be shared with any other entity in the government unless it is necessary to understand and interpret related foreign intelligence or to protect lives from criminal threats. But passing intelligence information to criminal investigators requires several layers of review and is not easily approved; minimization procedures are meant to insure that information collected by the NSA isn’t used in routine criminal investigations.

In other words, the NSA doesn’t give a damn about you swapping recipes with your Aunt Edith—or even your decision to email your drug dealer (foolish as that might be.) And the NSA doesn’t get to establish the minimization procedures on its own—those, too, have to be approved by the FISA courts.

In the past, some minimization procedures bordered on the absurd: for example, pre–9/11, the rules said that the name of companies based in the United States could not be used in communications transmitted from the N.S.A. to other intelligence or law-enforcement bodies. So, suppose the N.S.A. learned through signals intel that a known terrorist was flying at noon on June 20 from Frankfurt to New York on Delta flight no. 2012. Any communication could identify the terrorist, locations, date, and time; however, the C.I.A. and F.B.I. couldn’t be told they were flying in on Delta. Based in Atlanta, you see.

As for the purported secrecy of this program—folks haven’t been listening. Section 702 was widely debated and parsed through by the Congress before its adoption in 2008 (under the Bush administration). It was widely debated and parsed through by Congress before its re-authorization in December 2012 (under the Obama administration). Any supposed expert who feigns surprise here is, once again, either uninformed or hyping.

Getting deeper into the weeds: some news reports have said that companies like Google, Facebook, and the like allowed the government to have “direct access” to their servers through the actually-not-a-program “PRISM program.” That’s false.

The reality is that these companies have been, at times, compelled to turn over data after the receipt of a subpoena. (And remember, that subpoena was issued by a F.I.S.A. court, after the Justice Department and the N.S.A. were able to establish that the information being sought related solelyto a foreign national overseas about whom the government had probable cause to believe was involved in activities threatening the national security of the United States.)

In an attempt to get reporters off the “the government has direct access to your accounts through direct server access” falsehood, Google put out a statement about how it didprovide information. It utilized what is known as an FTP—a common, secure network protocol for transferring encrypted files from one entity to another. This was portrayed in one news report as Google turning over whatever the government wants whenever it is asked, but last I checked, all companies are required to comply with a valid subpoena—whether approved by a F.I.S.A. court or some other court—or face charges. (And before someone launches into the “F.I.S.A. is secret” wail, remember this: so are grand-jury investigations that result in subpoenas being issued in criminal cases.)

What kind of information is needed? Sometime after 9/11, al-Qaeda members figured out that a great way to transmit information over the Internet was by not transmitting it at all. Instead, a terrorist would open an account with a free service like Hotmail or Google, write an e-mail, and rather than sending it or even writing in the address of a recipient, would store it in a “draft” folder. Then, through other means such as a satellite phone or another e-mail account, a coded message would be sent to the planned recipient telling him the account name and the password. The recipient would know to open the account, check the draft file, and then delete the account. Once the N.S.A. knew through other means of the existence of the message, it would gain access to the temporary account through a court-issued subpoena to the company, read the secret message, and watch what happened. By 2010, though, the terrorists figured out this wasn’t working anymore and changed tactics.

So, if the information the government is obtaining isn’t from direct access to the servers, and the subpoenas are issued only aftera foreign national has been targeted, where does the data come from? There is data scooping, but not like you think.

A quick technical explanation is needed. Data going across the Internet does not follow a set path—if you send an e-mail from New York to Boston, it doesn’t hop Amtrak and make a beeline to Massachusetts. Instead, it is broken up into data packets, which can go through switches anywhere in the world. In other words, if the N.S.A. was monitoring Internet servers in Pakistan, it very well couldpick up information from that recipe e-mail to Aunt Edith, and under the rules as they existed pre–9/11, that was a huge no-no.

And so the rules were changed to deal with the realities of modern technology. As their authority expanded, intelligence folks recognized that al-Qaeda was utilizing what are known as “international gateway switches,” which are simply technological junctions between overseas telecommunications grids and those in the United States. Because the terrorists were using those switches in their communications, the N.S.A. was able to identify them as “facilities” under the F.I.S.A. rules The requirements under the law can be quite technical, but if the F.I.S.A. courts accept an N.S.A. designation of a particular entity under the term “facility,” it streamlines the continued review and approval process for warrants. It streamlines the continued review and approval process for warrants. (To make it simple: if I wanted to monitor the Mafia, I could either conduct surveillance of Joey the Knife’s phones or have a facility such as the Mob Social Club identified as the facility being monitored. In one case, I would only hear what Joey says, and if I wanted to know more, I would have to apply for another warrant on another individual. With the facility warrant, I would be able to hear all of the criminal activities discussed, regardless of who did the talking. In this instance, the international switches are the Mob Social Club.) So, with just a few court orders, the N.S.A. was able to obtain almost all Internet and telecommunications traffic data traveling in and out of the United States through the international switches.

Of course, it’s impossible to stop a packet of data, interview it, and determine whether it is from a foreign national. So, information to and from Americans was also collected by the court-authorized surveillance of the gateway switches (thisis the closest thing that exists to “direct access to servers,” and it has nothing to do with the Googles of the world). But, without additional authority granted by the court (through a showing of probable cause about a particular suspect), no one can listen to or read the private information flowing through the switches. Metadata is collected, but the N.S.A. can only target foreign nationals overseas for more detailed analysis.

I’m not comfortable getting into too much detail (some sources I interviewed during my reporting for the book placed limits on what I could publicly reveal about active programs as part of their agreement to speak with me). But I can say for a fact that this data-mining and telecommunications program has had significant successes. For example, a network of terrorists at least twice attempted to spirit strontium 90 from Uzbekistan into Kazakhstan; both of those times the smuggling was stopped, once through traditional intelligence activities, and once through the use of the data-mining program. Specific cyber-attacks have been stopped, and strategic plans of terrorist groups obtained. However, it has to be understood that data mining is not a single tool—rather, it is part of a broad array of intelligence-gathering activities, and is rarely used alone to prove a national-security risk.

So, that is the truth about what everyone is mistakenly calling PRISM. There is, of course, more information about these programs, and I summarized some of it in my last piece. Feel free to read it, too.

My hope is that these explanations will make it clear why even I, as a civil libertarian, have no problem with data-mining programs. The information being obtained by the government entails far fewer privacy issues and danger of abuse than exists in your taxes or the census. Sure, people could make the argument that this could be the slippery slope to some sort of effort by the government to monitor your porn subscriptions, but . . . really?The N.S.A. is downloading petabytes of data every day with so many anonymizers and protections in place, it is incomprehensible to imagine (and illegal and technologically problematic) that someone would just somehow start surfing through private records. To me, the slippery-slope argument makes as much sense as the N.R.A.’s position that, if we use background checks to keep guns out of the hands of criminals, the United States is on the way to the seizure of weapons. And they make the same silly argument—they think that the government invades their privacy by running those checks.

As Supreme Court Justice Robert Jackson said in a 1949 dissent, the Constitution is not a suicide pact. Creating absurd hurdles to protect against imaginary threats that instead open the door to real threats is self-defeating. We all need to calm down, recognize that no one is listening to our phone calls or reading our e-mails or hiding under our beds. These are programs that have been adopted very carefully, for a specific purpose. And for all those hypocrites who first wail that the Boston bombing wasn’t stopped, and now wail about a workingprogram that has successfully impeded real terror attacks, I have this to say: shut up, Mr. Hannity. And you too, those of you critics hoping to turn a Bush program into an Obama scandal. Or, as Republicans were wont to say during the Bush administration: Why do you hate America? And why do you support the terrorists? (I’m being sarcastic.)